We walk up to a door and scan our badge. The door opens. We don't even give it a second thought. It's just there: security. Protecting assets should be the number-one job of all IT professionals whether it's the database, operating system, people, or physical access to the servers themselves. We should question when we see people that don't belong in the data center or we have never seen before.
Good physical security uses the following policies, at a minimum:
Require a badge to enter the data center. For smaller companies where this is not possible, it should be under lock-and-key and available on an as-needed basis. The door should never be left open for any reason. Where possible, an entrance control service should be established.
All systems should require console access to gain root/administrator access. This will force everyone wanting administrative rights to be physically in the data center and easier to track.
Cameras should be used where practical. Even a small shop can afford a camera today. Stream the data feed to a manager's PC or set up a small TV.
Make vendors and people who normally belong in the data center sign a sign-in sheet. This will tell who was there, when, and what they were doing. In addition, they should be escorted during their stay.
The data center should never have a window in it. I have seen many data centers with windows in them. This is a major security problem.
This should go without saying, but unfortunately I have to say it. The data center should be alarmed for fire and theft. I have seen small companies that use a "closet" as their data center and they do not alarm it.
For small companies that use a "closet" as a data center, use a steel door. It will protect access better than a wood door.
Don't hang a sign on the door that says "Data Center." Make it inconspicuous and hard to find.
And in preparation for that disastrous day, have a contingency plan. What would you do if your equipment were stolen?
All policies must be in writing and the entire organization trained on the policies. Individuals must sign a form stating they were trained and a copy kept on file.
I once worked for a midsized company where it was announced that we were merging with another company. Many people were angry about the merger. We noticed one day that someone had powered off a set of disk drives. At first, I didn't think that anyone would do that on purpose. It was possible to brush against an external switch and power it off accidentally. After it happened three more times, we got the message.
Along with the data center, the same practices hold true for access to the rest of the organization. Today, desktop users have access to data that we might not want someone just walking through the department to see. Remember, if you share a building with someone, as in a multi-tenant building, the tenant with the weakest security policies becomes your biggest security threat.
In an economy where companies are reducing their workforce, physical security has never been so important.